
1,000 Fake IPL Domains Fuelling Scams and Malware Attacks

While the Indian Premier League draws thousands of viewers on social media, hackers have launched a competition of their own in phishing schemes. Cybersecurity company CloudSEK found over 1,000 phishing domains spreading malware and conducting fraud aimed at users seeking tickets and free live streams for IPL matches. The campaign includes more than 600 scam ticketing pages and about 400 scam streaming pages. These websites steal money, harvest user information, and plant malware to gain access to passwords, bank accounts, and cryptocurrencies.

These phishing pages are designed to imitate legitimate ticketing websites. They use the same layout and images, and even include team symbols. Victims receive PDF tickets featuring booking IDs and QR codes. The fraud becomes evident only when victims show up at stadiums and cannot enter because their tickets are not authentic. These phishing campaigns operate just like legitimate companies, with dashboards tracking sales, customers, and advertising results.

The Stream That Stole Everything 

Meanwhile, fake streaming websites are targeting fans who want to watch matches for free. These pages are designed to rank for search terms such as “IPL 2026 free live stream” and match-specific keywords. At first glance, they appear legitimate, with play buttons, fixture lists, and video controls.

However, clicking on the stream triggers a chain of redirects, pop-ups, and malicious prompts. Some users are asked to download software. Others are told to paste commands into their devices. Instead of showing cricket, the sites begin stealing data in the background.

SHub Stealer: The Malware Behind the Free Match 

SHub Stealer is at the heart of most of these attacks; it is malware that specifically targets macOS computers. Upon infection, it gathers saved passwords, browser cookies, Telegram sessions, Apple Keychain data, iCloud accounts, notes, and other files from the computer.

Furthermore, the malware is capable of targeting over 100 cryptocurrency wallets, such as Ledger Live, Exodus, and Trezor Suite. Sometimes, it even tries to gather seed phrases, enabling attackers to gain complete control of digital assets. Finally, it establishes a fake update service to conceal its tracks and keep gathering information.

Why IPL, and Why Now 

Several elements have made the IPL a breeding ground for online fraud: very high demand for tickets, a set time frame for the matches, and impulsive behavior driven by the fear of missing out on a favorite sport.

According to CloudSEK’s Sourajeet Majumder, the scammers plan these attacks thoroughly. Domains are registered ahead of time. The scammers use false social media posts and recommendations from fake people. Meta Pixel is used to find out which advertisements lure more customers. The whole system operates only when there are important games.